Strong passwords

Posted by Paul
Sep 10 2008

What is a strong password, how do you know if a password is strong and how do you pick one? That’s what this is going to be about. Passwords are for security: they are used to certify that whoever knows the correct password is allowed access to the system or information. That is a very broad description, so the level of security needed varies enormously. Does this password give you access to your bank account, or only to a share with your music collection on your home LAN? What attackers can we expect, or more specifically, how does one attack a password? This is the most important question, because if we know that, we know what our passwords are up against.

Brute force attacks
Brute force attacks are the most basic form of attack. They consist of simply trying every combination within set boundaries. The success rate of this type of attack depends heavily on the complexity of the password. A 4-digit PIN code, for example, would be extremely easy to break, as there are only 10,000 possible combinations: 0000-9999, or 10^4. That would take a computer less than 1/1000 of a second to break (this is why such systems block the account after 3 failed attempts).
In our defence against these attacks we could choose to add more digits, multiplying the complexity by ten with each digit, but that would produce a very hard to memorize sequence of numbers, because it needs to be very long. The other variable in the number of possibilities is the size of the character set. In the example this was only 10, but if we took the alphabet it would increase to 26: 26^4 = 456,976, a 45-fold increase in complexity. Notice that this increase is exponential. It gets bigger as passwords get longer; compare 8 numeric characters with 8 alphabetic characters: 10^8 = 100,000,000 and 26^8 = 208,827,064,576. That is a 2088-fold increase in complexity, compared to 45-fold for 4 characters!
Of course these numbers are still very low in the computer world and it would only take a short while to try all possibilities. What we need is something that takes an attacker a disproportionate amount of time, with current technology or with future technology. Because we now know the two components of the complexity, we can choose how complex we want our passwords to be. Complexity is expressed by:
c = s^n
Where:
c = complexity (the number of possible passwords)
s = size of the character set
n = length
It’s relatively easy to enlarge both factors to a size where brute force attacks become completely impractical. As character set you have different blocks to choose from:

  1. a-z
  2. A-Z (capital letters are different, using them effectively doubles your character set)
  3. 0-9
  4. !@#$%^&*() (characters located under shift + 0-9)
  5. -=_+[]{};'\:"|,./<>?\|`~ (the rest of the characters on a US-int keyboard)
  6. Special characters: there are more difficult characters not normally found directly on a US-int keyboard, such as ß, ë, é, à, ö, ç, €, ¾, ², ³, ¤, etc. These are top notch: if you use them in your password you’ll make an extremely strong password, because there is a virtually unlimited number of them across different languages (ever used a Chinese character in a password?). Try hitting ctrl + alt + any random key in a text field and look at the output; most of them yield a special character you probably never knew was there, and you might even find it useful in normal word processing!

These sets or blocks of characters are normally attacked in this order. This means that attackers will normally first attack a limited set of characters (e.g. only a-z, A-Z, 0-9) and move towards adding more complex characters as they remain unsuccessful, or just give up. The key point is to use at least one character from every block up to the highest you can, and preferably more. If you use only up to block:

  1. 26 characters
  2. 52 characters
  3. 62 characters
  4. 72 characters
  5. 96 characters
  6. a whole lot of characters

The second factor is length. The longer your password, the safer; this is pretty straightforward. A simple guideline:

  • n < 8 - Don’t
  • n < 10 - very short
  • n < 12 - short
  • n < 14 - medium
  • n > 14 - recommended
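Putting the formula c = s^n, the character blocks and the length guideline together, here is an added Python example (my code, not code from the original post) that rates a password the way the post describes. The guess rate passed to the last function and the size used for block 6 are my assumptions, since the post only says "a whole lot of characters".

```python
# Added example: scoring a password with the post's model c = s^n.
# Blocks in the post's order, with the post's cumulative set size for the
# highest block used (26, 52, 62, 72, 96); block 6 is everything else.
BLOCKS = [
    (set("abcdefghijklmnopqrstuvwxyz"), 26),
    (set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"), 52),
    (set("0123456789"), 62),
    (set("!@#$%^&*()"), 72),
    (set("-=_+[]{};'\\:\"|,./<>?`~"), 96),
]
# Assumption: the post only says "a whole lot" for block 6; the size of the
# Unicode Basic Multilingual Plane is used here as an illustrative bound.
BLOCK6_SIZE = 65_536
LENGTH_GUIDE = [(8, "don't"), (10, "very short"), (12, "short"), (14, "medium")]

def highest_block(password: str) -> int:
    """1-based index of the highest block any character falls in (0 if empty)."""
    highest = 0
    for ch in password:
        for index, (chars, _size) in enumerate(BLOCKS, start=1):
            if ch in chars:
                highest = max(highest, index)
                break
        else:  # not in blocks 1-5: the post's block 6
            highest = 6
    return highest

def char_set_size(password: str) -> int:
    """s: the cumulative set an attacker must cover to reach this password."""
    block = highest_block(password)
    if block == 0:
        return 0
    return BLOCK6_SIZE if block == 6 else BLOCKS[block - 1][1]

def complexity(password: str) -> int:
    """c = s^n: candidates a full brute-force search has to try."""
    return char_set_size(password) ** len(password)

def length_rating(n: int) -> str:
    """The post's length guideline (it leaves n == 14 unstated; treated as recommended)."""
    for limit, label in LENGTH_GUIDE:
        if n < limit:
            return label
    return "recommended"

def worst_case_seconds(password: str, guesses_per_second: float) -> float:
    """Time to exhaust the whole space at an assumed guess rate (constructed figure)."""
    return complexity(password) / guesses_per_second
```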

Dictionary attacks
Another popular attack is the dictionary attack. This approach is pretty straightforward: you take a dictionary, a set of words, and try them as passwords. You can choose a dictionary in the language of the end user, based on information found elsewhere; maybe the attacker recognises the language from the username or googles him or her. If this first attempt fails, attack software offers options to combine two or more words, vary capitalisation, add numbers to the end, etc. You should also know that there are special dictionaries for this purpose, which include common names, keyboard patterns (e.g. qwerty, azerty, asdf) and other strings you normally wouldn’t find in a dictionary.
Although this sounds very sophisticated, the defence is simple: don’t use meaningful character combinations!
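As an added example (mine, not the post's), here is a check that rejects passwords the dictionary attack just described would recover: a listed word after lowercasing, after stripping digits and symbols added to the end, after undoing common letter-for-symbol swaps, or two listed words glued together. The wordlist and the substitution table are constructed for the example; a real check would load a full dictionary plus the name and keyboard-pattern lists the post mentions.

```python
# Added example: flag passwords a rule-based dictionary attack would find.
# Constructed wordlist standing in for a real dictionary plus the special
# lists (names, keyboard patterns) the post describes.
WORDLIST = {
    "password", "welcome", "sunshine", "dragon", "monkey", "letmein",
    "summer", "dog", "cat", "house",        # dictionary words
    "paul", "john", "maria", "anna",        # common names
    "qwerty", "azerty", "asdf", "zxcv",     # keyboard patterns
}
# Characters an attacker's "add to the end" rule appends; stripped from the right.
TRAILING = "0123456789!@#$%^&*()-=_+[]{};':\"|,./<>?`~"
# Common substitutions the attack undoes; mapping 1 -> l is an assumption
# (rule sets usually try both i and l).
_DELEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                         "3": "e", "5": "s", "7": "t"})

def _candidates(password: str) -> set:
    """Normalised forms of the password that a rule-based attack would test."""
    lowered = password.lower()               # undo "vary capitalization"
    stripped = lowered.rstrip(TRAILING)      # undo "add numbers to the end"
    forms = {lowered, stripped} if stripped else {lowered}
    return forms | {form.translate(_DELEET) for form in forms}

def is_dictionary_based(password: str, words: set = WORDLIST) -> bool:
    """True if any normalised form is a listed word or two listed words joined."""
    for form in _candidates(password):
        if form in words:
            return True
        for cut in range(1, len(form)):      # "sunshinedog" -> "sunshine" + "dog"
            if form[:cut] in words and form[cut:] in words:
                return True
    return False
```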

Shoulder surfing
Shoulder surfing is the name used in computer security for obtaining information by watching while someone enters it, by looking over their shoulder. Choosing the right password can also help to prevent shoulder surfing. It won’t make it impossible, but if you apply the right techniques it will make it a lot harder. The first thing is that you should be able to type your password fast. If you can just smash out your password on a keyboard in the blink of an eye, there’s very little chance that someone will be able to follow your actions without help from a camera. The speed at which you can type your password is of course highly dependent on how you normally type. If you’re used to typing with two fingers it’ll be hard, but if you type with all ten fingers, practise. Otherwise, consider learning to type with ten fingers; it might be a very good idea, as it will serve you in the long term and beyond just typing passwords.
The catch is of course that this doesn’t combine very well with choosing a complex password. Or maybe it does, because if you have to type a special character by pressing two or three keys at a time, it becomes far harder for a shoulder surfer to follow. This of course assumes that you can still type your password relatively fluently, so go practise. The other option is to combine an easy-to-type part with a part that is hard to type but also hard to brute force. In theory someone could combine shoulder surfing with brute forcing, but in practice that’s highly unlikely.

Hash tables, a technical side note
There’s one more type of attack we should consider: the use of hash tables. Many systems, such as Windows and online services, store passwords in the form of a hash. This is a highly complex string generated from the password in such a way that it is irreversible. Multiple input strings could lead to the same hash, but due to the nature of the generating algorithm and the length of the hash string this is highly unlikely. The secure part of this is that the software no longer needs to store your password, only a one-way derivative of it. The software can then derive the hash from the password you enter and check it against the hash stored in the database.
This has made things considerably more difficult for attackers, because calculating a hash takes relatively long compared to normal password verification methods, making a brute force attack much less feasible. That’s why new attack methods have been developed: attackers simply generate a list of all possible passwords with their accompanying hashes. Now they only have to look up the hash in their table and read off the string used to generate it. This is much quicker than brute forcing.
The downside is that it takes a lot of computing power to generate such a list; think 25+ computers running for a month to generate a usable list. The file sizes can also grow very big, think tens of gigabytes. But it is worth it, because only one attacker has to generate the list and can then redistribute it to others.
The good news for us is that these attackers target only the most common passwords, because they don’t know what they’re going to attack when they generate the list. This means they try to spread their resources evenly, and last time I checked the tables went up to 14 characters of a-z, A-Z, 0-9 and !@#$%^&*(). So if your password exceeds those criteria you’re safe.
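As an added example (my code, not the post's), here is the unsalted store-and-verify scheme the post describes, together with a check of whether a password falls inside the space a precomputed table covers, using the coverage the post reports (a-z, A-Z, 0-9, !@#$%^&*() up to 14 characters). The post names no hash algorithm; SHA-256 is an assumption, and the toy table built over a three-character alphabet is constructed purely to show why coverage is what decides whether a lookup succeeds.

```python
# Added example: unsalted hash storage, verification, and table coverage.
# Assumption: the post does not name the hash; SHA-256 is used here.
import hashlib
import hmac
import itertools

# Coverage of the tables the post reports: these characters, up to 14 long.
TABLE_CHARSET = ("abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "0123456789" "!@#$%^&*()")
TABLE_MAX_LEN = 14

def unsalted_hash(password: str) -> str:
    """One-way derivative of the password alone, with no salt, as in the post.
    (A per-user salt would make a shared precomputed table useless.)"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def verify(stored_hash: str, attempt: str) -> bool:
    """What the login software does: re-derive the hash and compare it."""
    return hmac.compare_digest(stored_hash, unsalted_hash(attempt))

def covered_by_table(password: str, charset: str = TABLE_CHARSET,
                     max_len: int = TABLE_MAX_LEN) -> bool:
    """True if a table over `charset` up to `max_len` would contain this password."""
    return 0 < len(password) <= max_len and all(c in charset for c in password)

def build_table(charset: str, max_len: int) -> dict:
    """Toy precomputed table (hash -> password); only feasible for tiny spaces."""
    return {unsalted_hash("".join(combo)): "".join(combo)
            for n in range(1, max_len + 1)
            for combo in itertools.product(charset, repeat=n)}

def lookup(table: dict, stored_hash: str):
    """A single dictionary lookup replaces the search; None if outside coverage."""
    return table.get(stored_hash)
```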
